OWASP security issue with jackson-databind-2.9.8 jar - security

I have a maven web project(RESTful, Spring Rest/data) running in Java 8(tomcat 8.5.5) and using 'jackson-databind-2.9.8.jar'. When the Dependency Check Tool(Checks vulnerable jar version and generates report) is run against the libraries the project is using, it showed 'jackson-databind-2.9.8.jar' as Vulnerable(Reference- https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.8)
Problem:- Changing to 'jackson-databind-2.10.0.jar' version fixes OWASP security issue(running Dependency Check Tool) but, when project is build and run it throws error since 2.10.0 uses jdk9+ complaint classes(Reference- https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)
What should be done to resolve the issue, can we make the project compile in Java 8 and run in JDK11(since JDK9 is out of support) or something else should be done? Please suggest.
Thanks in advance!

CVE-2019-12086 is fixed in jackson-databind-2.9.9.jar .
See the report: https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Maven repo for 2.9.9 : https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9

Related

Java Hosting Package can't be installed

I'm trying to install the Java Hosting Package distributed by Helicon Zoo in order to host a java project (.war file) on IIS. The problem I'm having is that I can't install the package because Jetty 8 can't be installed.
At first it complained about Jetty 7 aswell but after I downloaded it, that was removed. This didn't however work for Jetty 8.
Error message on web platform installer (Screenshot):
http://imgur.com/qUgH5dW
Has anyone seen this before and possibly fixed it?
Hmm, It seems as if the url that the package is trying to fetch Jetty from: dist.codehaus.org/jetty/jetty-hightide-8.1.7/… has been shut down. I removed Jetty8 (which I manually installed to try to fix the issue, and downloaded it again from download.eclipse.org/jetty. This seems to have fixed the issue. Don't know what the issue was with the first download but maybe it was corrupt.

pom file java version spec for Maven

I am a new user to Maven, as I am trying to use it to build apache spark on amazon EC2 VMs. I have mannually installed java version 1.7.0 on the VMs. However as I was running the Maven, the following error occurs:
Failed to execute goal net.alchim31.maven:scala-maven-plugin:3.2.0:testCompile (scala-test-compile-first) on project spark-core_2.10: Execution scala-test-compile-first of goal net.alchim31.maven:scala-maven-plugin:3.2.0:testCompile failed. CompileFailed
As I think the java version mismatch is the potential reason, causing the compiling problem. I opened up the pom file of the spark for maven tool, it has declared java related version in two seperate places:
<java.version>1.6</java.version>
and
<aws.java.sdk.version>1.8.3</aws.java.sdk.version>
What are the differences between these two versions?
Which one should be edited to solve the jave version mismatch?
It's two different things
<java.version>1.6</java.version>
is the java version used and
<aws.java.sdk.version>1.8.3</aws.java.sdk.version>
is the AWS SDK for Java version used.
The minumum requirement of AWS SDK 1.9 is Java 1.6+ so there is no compatibility issues.

javafx deployment using java 6

I just package my JavaFX app using the provided tool. But when I try to run it using java -jar app.jar I get a message asking me to install a newer Java version. I'm using 6u33 withfx 2.2beta` in development environment and is running fine. So, my question is, what is the required config to run under Java 6?
Here is my package command:
\javafx-sdk2.2.0-beta\bin\javafxpackager.exe -createjar -appClass gui.principal.FrmPrincipal -classpath lib\jfxrt.jar;lib\antlr-2.7.7.jar;lib\dom4j-1.6.1.jar;lib\hibernate-commons-annotations-4.0.1.Final.jar;lib\hibernate-core-4.1.4.Final.jar -srcdir classes -outdir dist -outfile Etransporte.jar -V
Thanks!
Well, a couple of hours later I downloaded the final version of JavaFX SDK and installed it over my Java 6u33 SDK and everything worked fine since then. So, upgrade is the rule.
No need to use the beta sdk, use the production sdk. The beta sdk may have unresolved bugs and is not suitable for packaging applications for general deployment.
Just some general info, I think you probably have most of this covered already, but something might be useful.
Here is a sample batch script for packaging a javafx application with javafxpackager.exe. Offhand the command you are running looks fine.
Ensure that the java system and javafx installation on your test machine are both the same bit architectures (e.g. 32bit or 64bit). Also jre6+javafx2.2 is only supported on Windows machines, not Linux or Mac.
Note that if your client machine only has jre 6 installed and not the JavaFX runtime, then it is expected when you run your packaged app on that system that it will provide some prompt and help to allow the user to install the JavaFX runtime on the client.
Also note, that not all versions of jre6 are supported by JavaFX 2.2, it must be a recent version of jre6 (2.2 requires Java SE 6 Update 33). It does seem that you are running the right minimum version.

Groovy plugin installation fails in STS 2.5.2 and 2.7

I have tried installing Groovy plugin via STS's dashboard install feature in both 2.7 (the version I downloaded initially which was the latest version at the time). My colleague recommended downloading 2.5.2, the version he is using, so I did; however the Groovy plugin installer still fails. It starts with:
Cannot complete the install because of a conflicting dependency.
Software being installed: Groovy-Eclipse Feature 2.5.2.xx-20110808-1400-e36 (org.codehaus.groovy.eclipse.feature.feature.group 2.5.2.xx-20110808-1400-e36)
Windows 7 64B
groovy v 1.8.2
grails v 1.3.7
jvm 1.6.0_26
Greatly appreciate any hints/recommendations/ideas. THANK YOU!
Make sure that your STS install is in a directory where the current user has write permissions. Also, there is a problem with installing into the Program Files directory (it is not really writable, even if you think it is).
The reason for this problem is the feature patch that comes with Groovy-Eclipse must be installed into the same directory as the rest of STS (an Eclipse limitation). This patch is the thing that patches the jdt compiler so that it can also compile groovy code.

Using cucumber with jruby

I'm working on my company's intranet with
cucumber 0.8.5
gherkin 2.1.5
And I'm trying to switch from using ruby 1.8.7 to jruby 1.5.1
However, whenever I try to run cucumber from jruby, I get an error:
% jruby -S cucumber
/usr/local/src/jruby-1.5.1/lib/ruby/site_rub/1.8/rubygems/custom_require.rb:31:in `require': no such file to load -- gherkin (LoadError)
I think this is b/c gherkin 2.1.5 is a native extension, and jruby can't handle it:
% jgem install gherkin-2.1.5.gem
...
ERROR: Error installing gherkin-2.1.5.gem:
ERROR: Failed to build gem native extension.
Now, I'd love to just try updating versions, but since this is on a protected intranet, importing new software is a PITA, and takes some time.
Does anyone have any suggestions of how I can make the software I have work? Am I missing a proper configuration setting or some such?
You need to install the JRuby version of gherkin. If you simply do
jgem install gherkin
you will get the correct version automatically. Otherwise, you have to figure out the URI to the JRuby version of the gherkin gem yourself and download it by hand.
But really, there is only one sensible thing you can do if you are working for a company that asks you to do a job and then ties your hands behind your back: run, as fast as you can, as far away as you can.

Resources